Troubleshooting Contracts for Cloud-Based Products and Services

By Stephen Rawson

One of the most significant (and accelerating) technology trends in public education is the use of cloud-based products and services for the enhancement of educational programs. A 2013 study by Fordham Law School revealed that 95 percent of school districts use some form of cloud-based services. And while many school districts considering such opportunities would love to have a lawyer who can explain to them the difference between software-as-a-service and platform-as-a-service, uptime and downtime, and 128-bit and 256-bit encryption, what they are really looking for is someone who can answer the following two questions: Can we legally use this service, and are there any problems with the contract terms proposed by the provider? Generally speaking, the answers are yes and yes. But helping the client understand and fix the issues regarding the second yes is critical to maintaining the accuracy of the first.

Most lawyers don’t have the time to learn the technical details of cloud-based products and services. With that in mind, what follows is a brief exploration of the most common pitfalls in cloud computing contracts, and how to address each. As a general rule, smaller companies are more willing to be flexible with their terms than larger companies over whom you have little bargaining power. But at minimum, recognizing the issues below will allow you to present your client with an informed choice about any given opportunity presented by a cloud service provider.

As you consider these issues, remember that most cloud-based services are obtained via a purchase order or other short purchasing agreement rather than a detailed contract. The purchase order will generally make reference to some online Terms of Use or Terms and Conditions as well as a Privacy Policy. Be sure to read those online documents; you may find some of the terms startling. To limit the negative impact of the customary format of these Terms, negotiate with the provider so that you can attach a contract rider to the purchase order that supersedes inconsistent provisions in the online Terms of Use and/or Privacy Policy. Here are a few important considerations in such negotiations:

Who Owns/Controls the Data?

The school’s data is and should remain the school’s. But the Terms of Use for many cloud-based services contain provisions staking an ownership claim to any data that is uploaded to the service. Slightly less aggressive but no less concerning are provisions that grant the service provider a perpetual, royalty-free, fully paid license to any data uploaded to the service. In each of these scenarios, if the district hasn’t modified the terms before signing the purchase order, it will lose control of any and all data provided by the district or individuals using the service. That is a concern under any circumstances, but it also happens to be a violation of FERPA. 34 C.F.R. § 99.31 requires that, in order to disclose education records to a third-party vendor to whom the district is outsourcing a particular function or service, the district must retain “direct control” over the vendor with respect to the use and maintenance of the disclosed data.

To mitigate these issues, include terms in the proposed contract rider clarifying that the school district retains ownership over all data provided to the vendor and prohibiting any use of the data for purposes other than providing the service itself. It is especially important that your agreement prohibit commercial and marketing uses of student data. If you can, secure a term guaranteeing that your data will be stored in the United States. Many cloud server systems are housed elsewhere around the world—if the district’s data is being stored in Siberia, you may have difficulty enforcing ownership rights when you need to retrieve the data or when the data is misused.

Protecting Student Confidentiality

Chances are that any cloud-based service that will be of actual use to your district will require the disclosure of some student data protected by FERPA. The district has an obligation under federal law to protect the confidentiality of education records disclosed to the cloud provider. The best way to protect the district is to incorporate language into the contract rider that addresses the requirements of 34 C.F.R. § 99.31(a)(1)(i)(B). Specifically, the contract should name the provider as a “school official” for the purposes of the agreement, state that the provider will not use or maintain the records except as directed by the district, and acknowledge that provider is bound by the provisions of FERPA, including those regarding redisclosure of education records. Most cloud providers that work with school districts will not balk at these basic terms – if one does, you should question whether that provider is equipped to meet the district’s needs.

Locking In the Terms

A standard term in online Terms and Conditions is one that allows the provider to change those terms at any time without notice to the customer. The company puts the burden on the user to periodically check the online Terms. For obvious reasons, your district’s agreement with the company isn’t worth the paper it is printed on when the company has the right to change the terms at will. Put a term in your contract rider that locks in the online Terms and Conditions, and the Privacy Policy, to those terms as they existed on the date of the purchase order (subject to the superseding provisions in your agreement rider).

Data Security

This is perhaps the most important area of all, and it’s the one where companies will be least likely to make firm promises. Many online Terms will disclaim any guarantee, warranty, or even responsibility for the security of your data, though they will preface such a statement with a flowery declaration about how they value their customer’s privacy and data confidentiality and how they are committed to working toward the most secure network possible. You can and should demand better. Add language requiring that the company use at least “industry standard” security measures, and requiring that they protect your data no less rigorously than their own confidential data. If you can obtain some type of auditing right, do so.

Liability Issues

You can be sure that online Terms and Conditions will have enormously unfair liability terms. Your district will be expected to indemnify the company for anything under the sun, including misconduct by students using the service from home. Terms also often include releases of all legal claims, including those that don’t yet exist. You may even encounter a statement that your “sole and exclusive remedy” under the agreement is to stop using the service. You may meet significant resistance to changing these terms, but your district will be in a much better legal position if you can at least remove the indemnification provisions, especially for conduct of third-parties like students, and if you can avoid releasing future claims. Avoid arbitration clauses as well.

You will also want to plan for security breaches. Your contract rider should allocate liability for lost, stolen or destroyed data. But if you can’t get that strong a term in place, at least push for notice rights. If there is a breach of security related to student data, the district needs to know. Insist on notice within 24-48 hours, including an explanation of the scope of the breach, which students’ data may have been compromised, and the company’s plans to recover the data and prevent future breaches.

Planning for the End

Your district has legal obligations related to access to student records in a timely fashion, so it cannot end up in a situation where data is unavailable for a long period of time or lost entirely. Your contract rider should include provisions that define how the district’s relationship with the provider will end: termination notice periods, what format the data must be returned to the district in (avoid proprietary data formats!), how long the vendor must maintain the data and when the data must be destroyed, etc. It may take six months or more for your district to transition to a new cloud provider—the district will need consistent access to its data during the transition period.

Another consideration is what happens if the cloud service provider goes bankrupt. Many cloud providers are start-up tech companies, and the failure rate for such companies is significant. What happens to your district’s data when the provider goes belly up? If you haven’t planned for this eventuality, your best case scenario may be losing all of the data. There have even been several cases in which cloud providers have declared student data to be a marketable asset in bankruptcy proceedings and sold student information to the highest bidder. Some online Terms of Use explicitly state that the company can sell student data as an asset; do not let a term like that go unchallenged.

Beyond the Contract

Of course, the best cloud computing negotiation strategy in the world is useless if the district doesn’t ask you to review these agreements. Cloud services are often available at the click of a button in a classroom, and the teachers may have no idea that they are entering formal contracts with the provider and putting student data at significant risk. Training district officials to recognize the need for careful review of cloud service Terms of Use and Privacy Policies is a huge first step, and helping the district communicate that same message to the teachers in the classroom is the next. If you can convince everyone involved to think before they click, your district will be much more likely to avoid a major cloud services problem.

As with any area of contract review, there are many more details that could be negotiated in any given cloud computing agreement. The points above are merely an overview of some of the major issues that can help your district avoid unexpected disappointment or even legal liability. Even if you cannot convince particular providers to negotiate on these issues, you can at least present your districts with a clear understanding of the risks they may be taking with any particular provider. Every time some other district’s data is sold in a bankruptcy proceeding or lost in the snows of Siberia, they will thank you.

Steve Rawson is an associate attorney in the Education Section at Tharrington Smith LLP. This article was originally published in the November 2015 issue of Education Law, the Newsletter of the Education Law Section of the North Carolina Bar Association.

Core Practice Areas

The information contained in this article and throughout the Tharrington Smith website is correct and accurate as of the date of publication of the content. This general information should not be relied on as legal advice. While accurate and informative, the content is provided to help you make a qualified decision in choosing a law firm to guide you through your legal matter. To schedule a consultation, call our Raleigh office at (919) 821-4711.